Safe test arrangement

ABSTRACT

A flexible test arrangement for performing measurements on a test object. A plurality of safety components, each having a safety module which can be set to active or inactive, and having a ready status which can be set to active or inactive, is provided in a circular test arrangement. Each of the safety components carries out a number of function tests cyclically. As one of the function tests, a cyclical, error-free reception of a data packet is tested. One of the safety components is selected as a bus master which cyclically transmits a bus verification signal in a data packet to the safety component which is adjacent in the direction of transmission, wherein the bus verification signal is relayed by each of the safety components in a data packet, and, when said bus verification signal is received in a data packet, the bus master determines that the circular test arrangement is closed.

The present invention relates to a method for operating a testarrangement comprising a plurality of safety components, wherein thesafety components each have a signal input for receiving data packetsand a signal output for transmitting data packets, wherein the safetycomponents each have a safety module which can be set to active orinactive, and have a ready status which can be set to active orinactive, wherein the safety module of a safety component is set toinactive if the ready status of the associated safety component is setto inactive.

A test device can be used to perform measurements on dangerous testobjects, such as current transformers. Because a dangerous test objectcan store a dangerous amount of energy, adequate safety precautions mustbe taken when performing measurements. For this reason, the test devicecan be expanded to a test arrangement with additional components. Forexample, a hazardous work area can be provided with warning lights andemergency stop switches as components. Emergency stop switches canenable current and voltage amplifiers in the test device to be switchedoff quickly and safely. Warning lamps, on the other hand, can indicate,for example, whether the test object or the work area is safe(discharged) or unsafe (live). A lockout feature for the testing devicecan be provided as a further component in order to prevent switching onwithout authorization. Activating a lockout feature can be an importantsafety aspect, especially when a person is working on the cabling. Atest arrangement usually includes a number of components, including testdevices, warning lamps, emergency stop switches, lockout features, etc.

One way to set up such a test arrangement is to use a safety circuitwith discrete signals. The components of the test arrangement areconnected to one another via a safety field bus, with the componentscommunicating via securely implemented signals. For this reason, safetyfieldbuses are configured and tested by the manufacturer. For safetyreasons, the user cannot and must not change the safety fieldbus. Forthis reason, it is not possible for the user to integrate additionalcomponents into the test arrangement, or to transmit additionalinformation—for instance, for diagnostic purposes. Therefore, inaddition to high safety standards with regard to communication betweenthe components, it is also desirable for all components to have a longservice life. Since the components are fixed to one another, there is agreat deal of effort involved in the cabling. Furthermore, the processof detecting and avoiding errors in the cabling (cable break, shortcircuit, crosstalk, etc.) is very complex.

It is therefore an object of the present invention to specify a flexibletest arrangement for carrying out measurements on a test object.

This object is achieved in that the signal inputs and signal outputs ofthe safety components are connected in such a way that the safetycomponents form a circular test arrangement with a direction oftransmission for the data packets, wherein the safety components eachcyclically perform a number of function tests, and set their readystatus to active if the number of function tests is successful, and toinactive if at least one of the function tests fails, wherein, as one ofthe function tests, a cyclic, error-free reception of a data packet ischecked. One of the safety components is selected as the bus master,which cyclically transmits a bus verification signal in a data packet tothe safety component which is adjacent in the direction of transmission,wherein the bus verification signal is forwarded by each of the safetycomponents in a data packet, and the bus master, upon receiving the busverification signal in a data packet, determines that the circular testarrangement is closed.

The circular test arrangement thus forms a ring bus which comprises thesafety components. The signal outputs of the safety components are eachconnected in a ring to the signal inputs of the further safetycomponents, such that the test arrangement has exactly one direction oftransmission for the transmission of data packets. In order to checkwhether the circular test arrangement is closed, one of the safetycomponents is designated as the bus master. The bus master cyclicallytransmits a bus verification signal in a data packet via the safetycomponents of the test arrangement, with the individual safetycomponents each forwarding the bus verification signal in a data packet.If the bus verification signal arrives again at the bus master, it candetermine that the test arrangement is closed. The cycle time fortransmitting data packets is preferably 10 ms to 100 ms, althoughshorter cycle times improve the response time, particularly in the eventof a failed function test.

Whether or not the safety component actually has an active readinessstate depends on the type of safety component and the correspondingfunction tests.

In contrast to prior art safety buses, the transmission of the datapackets between the safety components themselves does not have to besecure. Instead, the safety components carry out a number of functiontests, wherein at least one essential function test takes place in theform of a check for a cyclic, error-free reception of a data packet. Inaddition to this function test, further function tests can be carriedout. The ready status of each of the respective safety components isonly set to active if all function tests are successful. If one or moreof the function tests fails, the ready status of the safety component isset to inactive. Such a communication link between the safety componentsis referred to as what is known as a “black channel,” which means thatthe communication between the safety components is not regarded asfunctionally secure.

If a closed circular test arrangement is determined, the bus masterpreferably checks cyclically whether its ready status is active and, ifthe ready status is active, transmits a ready signal in a data packet tothe adjacent safety component in the direction of transmission, whereinthe safety components check whether their ready status is active whenthey receive the ready signal, and in the case of an active readystatus, transmit a ready signal in a data packet to the safety componentwhich is adjacent in the direction of transmission.

If the bus master determines that the circular test arrangement isclosed, by receiving the bus verification signal, and if its readystatus is active, the bus master transmits a ready signal to theadjacent safety component in the direction of transmission, i.e., to thesafety component whose signal input is connected to the signal output ofthe bus master. This safety component receives the ready signal andchecks its own ready status. If its ready status is active, this safetycomponent transmits the ready signal in a data packet to the adjacentsafety component in the direction of transmission, etc. In contrast tothe bus verification signal, the ready signal is not necessarilyforwarded in the data packets to the bus master when the circular testarrangement is closed—only if all safety components actually have anactive ready status.

Upon receipt of the ready signal, the bus master preferably determinesthat the test arrangement is ready for operation, and transmits anactivation signal in a data packet to the safety component which isadjacent in the direction of transmission, wherein the safety componentsactivate their safety module upon receipt of an activation signal, andforward the activation signal in a data packet.

If all safety modules are active, then the test arrangement isactivated, and safety-relevant information can be exchanged by thesafety components. Safety-relevant information is information that isrequired to carry out the measurement in the test setup.

The test arrangement thus only offers a functionally securecommunication channel for transmitting and receiving safety-relevantinformation if all safety components have an activated safety module. Ifthis is the case, a summary of all safety components in the testarrangement can also be provided as safety-relevant information betweenthe safety components.

The safety components can include, for example, output units foroutputting safety-relevant information, input units for inputtingsafety-relevant information, power units for inputting/outputtingsafety-relevant information, etc. However, a safety component can onlyread safety-relevant information from data packets and/or write it todata packets if a safety module of a safety component is active.

For example, enabling units for enabling the test arrangement, or keyswitches for securing the test arrangement against unauthorized persons,can be provided as input units. Likewise, blocking units, such asemergency stop switches for deactivating individual or all safetycomponents or their functions, can be provided as input units. Likewise,start switches can be provided for the final enabling of the measurementby the test arrangement.

Power units such as current amplifiers, voltage amplifiers, and “switchboxes” which switch off dangerous voltages/currents, etc. can beprovided in safety components. If the safety module is inactive, it mustbe ensured that the power units are switched off.

Warning lamps or display units for measured values can be provided asoutput units, with a warning color (e.g. red) being displayed for anactive power unit and a standby color (e.g. green) being displayed for ade-energized power unit.

A safety component may include one or more output units, input units,power units, or a combination thereof.

For example, a safety component can trigger an emergency stop on thebasis of received safety-relevant information in a data packet. Thisemergency stop is again transmitted as safety-relevant information in adata packet, with another safety component reading out thissafety-relevant information and displaying a warning light. A furthersafety component can, for example, deactivate its power unit. Adangerous state of a power unit of a safety component can also betransmitted as a data packet as safety-relevant information, and can inturn be read out and output. For example, the definition of “hazard” inthe IEC 61508 standard, preferably in Edition 2.0, or the ISO 13849standard, preferably in the ISO 13849-1:2015, ISO 13849-2:2012 version,can be regarded as dangerous.

After a ready signal has been transmitted and when a ready signal is notreceived, the bus master preferably transmits an emergency stop signalin a data packet to the safety component which is adjacent in thedirection of transmission, and the safety components deactivate theirsafety module each time the emergency stop signal is received, andforward the emergency stop signal in a data packet. If the bus masterdoes not receive its ready signal back within the scheduled cycle, itconcludes that at least one safety component has an inactive readystatus. Subsequently transmitting an emergency stop signal can ensurethat all safety modules of all safety components are also inactive.

After a bus verification signal has been transmitted, and if a busverification signal is not received, the bus master preferably transmitsan emergency stop signal in a data packet to the safety component whichis adjacent in the direction of transmission, and the safety componentsdeactivate their safety module upon receipt of the emergency stopsignal, and forward the emergency stop signal in a data packet. In thisway, in particular in the event of a break in the ring, and of aconfiguration of the safety components in which they always transmit adata packet even if they do not receive a data packet, it can be ensuredthat all safety modules are actually deactivated.

The safety components preferably carry out a safety test and, if thesafety test fails, deactivate their ready status and transmit anemergency stop signal in a data packet to the safety component which isadjacent in the direction of transmission, wherein the safety componentsdeactivate their safety module upon receipt of the emergency stopsignal, and transmit the emergency stop signal in a data packet. Duringthe safety test, functions of the safety components that aresafety-critical are checked. If the safety test fails, the ready status,and thus also the safety module, are deactivated immediately, and a datapacket with an emergency stop signal is also transmitted immediately inorder to deactivate all other safety modules of all other safetycomponents as quickly as possible.

The bus master is preferably selected via a component identification ofthe safety components. The safety component with the lowest componentidentifications is preferably selected as the bus master.

The safety components can transmit a component identification with thebus verification signal in the data packet, with the bus masteridentifying the safety components by the component identificationsreceived with the bus verification signal.

The bus master preferably transmits the component identifications backto the respective safety components in a data packet, with a safetycomponent setting its ready status to inactive if it does not receiveits identification back from the bus master.

The bus verification signal, the ready signal, the activation signal,the emergency stop signal, etc. can be transmitted by the bus master inthe same data packet, or in individual data packets. If the busverification signal and the ready signal are transmitted in one datapacket, then, when the bus master receives the ready signal in the datapacket, it can be determined that the circular test arrangement is stillclosed. Only if the data packet also contains a ready signal when it isreceived by the bus master can the bus master determine that all safetycomponents have an active ready status.

If the safety modules are active, the safety-relevant information canalso be transmitted via the same data packet—such as the busverification signal, the ready signal, the activation signal, theemergency stop signal, etc.

In the following, the present invention is described in greater detailwith reference to FIGS. 1 to 6 , which show, by way of example,schematic and non-limiting advantageous embodiments of the invention. Inthe drawings:

FIG. 1 is a safety component,

FIG. 2 is a test arrangement comprising three safety components,

FIG. 3 is the transmission of a bus verification signal,

FIG. 4 a is a transmission of a ready signal, wherein a safety componenthas an inactive ready status,

FIG. 4 b is a transmission of a ready signal, wherein all safetycomponents have an active ready status,

FIG. 5 is a transmission of an activation signal,

FIG. 6 a is a break in the ring,

FIG. 6 b is a transmission of an emergency stop signal.

A safety component 11, 12, 13 is shown in FIG. 1 . The safety component11, 12, 13 has a signal input Rx for receiving data packets DP1, DP2,DP3 and a signal output Tx for transmitting data packets DP1, DP2, DP3,The safety component 11, 12, 13 also has a ready status r, which can beset to active or inactive. The safety component 11, 12, 13 includes asafety module M, which can be set to active or inactive, but is alwaysset to inactive when the ready status is inactive. However, this doesnot mean that the safety module M always has to be set to active whenthe ready status r is active.

The safety component 11, 12, 13 carries out at least one function test Tcyclically. If all function tests T are successful, the ready status ris set to active. If only one function test T fails, the ready status ris set to inactive, which means that the safety module M is also set toinactive, or remains inactive if it was already inactive.

In the figures shown, an active ready status r, as well as an activesafety module M, is represented in general as “1,” and an inactive readystatus r, as well as an inactive safety module M, is represented ingeneral as “0.” A failed function test T is shown as a crossed-out. T:if the function test T is successful, it is shown as a T.

FIG. 2 shows the construction of a test arrangement made up of aplurality of safety components 11, 12, 13 as described with reference toFIG. 1 . The safety components 11, 12, 13 are connected to one anotheras a circular test arrangement in the form of a ring bus, by connectinga signal input Rx of a safety component 11, 12, 13 to a signal output Txof another safety component 11, 12, 13. In FIG. 2 , for example, thesignal output Tx of the first safety component 11 is connected to thesignal input Rx of the second safety component 12, the signal output Txof the second safety component 12 is connected to the signal input Rx ofthe third safety component 13, and the signal output Tx of the thirdsafety component 13 is connected to the signal input Rx the first safetycomponent 11.

Of course, the number three for the number of safety components 11, 12,13 is only selected as an example in the drawings shown; the testarrangement can include any number of safety components 11, 12, 13.

As a function test T, the safety components 11, 12, 13 carry out atleast one check of a cyclic, error-free reception of a data packet. DRThis can be done, for example, via a checksum check, a sequence check, atimeout, etc. This check for error-free reception of the data packets DPestablishes a so-called black channel between the safety components 11,12, 13.

If all function tests T of a safety component 11, 12, 13 are successfulin a current cycle, the ready status r of this safety component 11, 12,13 is set to active, if it is not already active. If the safety module Mand the ready status r were already set to active, the safety module Mremains activated—unless another security precaution deactivates thesafety module M. In FIG. 2 , only the essential function test T(DP1),T(DP2), T(DP3) of a check for the cyclic, error-free reception of a datapacket DP is provided on one of the safety components 11, 12, 13. Ifthis function test T(DP1), T(DP2), T(DP3) fails, the respective readystatus r is set to inactive; if the function test T(DP1), T(DP2), T(DP3)is successful—which in this case means that “all” function tests T foreach safety component 11, 12, 13 are successful, because this is theonly function test T provided—the ready status r is set to active.

According to the invention, one of the safety components 11, 12, 13 isalso selected as the bus master BM, wherein the bus master BM can beselected using a component identification, such as an identificationnumber UID, of the safety components 11, 12, 13. For example, thatsafety component 11, 12, 13 with the lowest identification number UIDcan be selected. In FIG. 3 , the first safety component 11 with the UID1is selected as the bus master BM, by way of example. According to theinvention, the bus master BM checks whether the safety components 11,12, 13 actually form a circular test arrangement—that is, a ring bus. Todo this, the bus master BM transmits a bus verification signal B in adata packet DP1 to the safety component which is adjacent in thedirection of transmission, in this case the second safety component 12.If there is a connection between the safety components 11, 12, 13, thebus verification signal B is received via the signal input Rx in a datapacket DP1, DP2, DP3, and forwarded via the signal output Tx, by allsafety components 11, 12, 13 present in the ring bus.

Since each safety component 11, 12, 13 thus expects a periodic datapacket DP1, DP2, DP3 (with a bus verification signal B), an (essential)function test T can be to check that this data packet DP is receivedcyclically without errors. If the data packet DP1, DP2, DP3 is notreceived as expected, or if the error check and thus the (essential)function test T fail, the respective safety components 11, 12, 13deactivate their ready status r.

In this case, the safety component 11, 12, 13 can optionally alsotransmit an emergency signal N in a data packet DP1, DP2, DP3, which isforwarded by all safety components 11, 12, 13 in a data packet DP1, DP2,DP3, and all safety components 11, 12, 13 that receive the emergencysignal deactivate their safety module M, which represents a furthersecurity mechanism.

In FIG. 3 , the first safety component 11 as bus master BM thustransmits the bus verification signal B via its signal output Tx in adata packet DP1 to the signal input Rx of the second safety component12. The second safety component 12 transmits the bus verification signalB in a data packet DP2 via its signal output Tx to the signal input Rxof the third safety component 13, and the third safety component 13further transmits the bus verification signal B in a data packet DP3 viaits signal output Tx to the signal input Rx of the first safetycomponent 11, which represents the bus master BM. Of course, the busmaster BM only receives the bus verification signal B when the ring busis closed. It can thus be ensured by the bus master BM, by receiving thebus verification signal B, that the ring bus is closed.

The safety components 11, 12, 13 are advantageously designed in such away that they each transmit their identification number UID1, UID2, UID3with the bus verification signal B in the data packet, as also shown inFIG. 3 . Correspondingly, the bus master BM can be designed to identifythe safety components 11, 12, 13 using the identifications UID1, UID2,UID3 received with the bus verification signal B. As shown in FIG. 3 ,the second safety component 12 receives the bus verification signal Bwith the data packet DP1 from the bus master BM, adds its identificationnumber UID2, and transmits the data packet DP2 with the bus verificationsignal B to the third safety component 13. This in turn adds itsidentification number UID3 and transmits the bus verification signal Bin a data packet DP3 to the first safety component 11, which constitutesthe bus master BM. In the data packet DP with the bus verificationsignal B, the bus master BM not only receives the information that thering bus is closed, but also the identification numbers UID2, UID3 ofthe other safety components 12, 13; the bus master BM already knows itsown identification number UID1. The safety components 11, 12, 13 in thetest arrangement are therefore known to the bus master BM via theiridentification numbers UID1, UID2, UID3.

The safety components 11, 12, 13 continue to carry out cyclical functiontests T, and in any case at least the essential function test T, bychecking for a cyclic, error-free reception of data packets (DP1, DP2,DP3). The function tests T are not shown in FIGS. 3 to 5 for reasons ofclarity.

Likewise, the bus master BM continues to carry out a check for a closedcircular test arrangement by transmitting a bus verification signal B.

The bus master BM could now also transmit the respective identificationnumbers UID2, UID3 back to the respective safety components 12, 13 (notshown). In this way, each safety component 11, 12, 13 can itself checkwhether the ring bus is actually closed. The safety components 12, 13can preferably be configured in such a way that they set their readystatus r to inactive if they do not receive their identification numberUID2, UID3 back from the bus master BM, since this indicates an error inthe ring bus.

If the bus master BM receives the bus verification signal B via itssignal input Rx (which establishes that the ring bus is closed), and ifthe ready status r of the bus master BM is active, the bus master BMtransmits a ready signal R in the data packet DP via its signal outputTx to the adjacent safety component 12 in the direction of transmission(in this case, the second), as shown in FIG. 4 a, b . Upon receiving adata packet DP1, DP2, DP3 with a ready signal R, each safety component11, 12, 13 checks whether its ready status r is active. If the readystatus r is inactive, each respective safety component 11, 12, 13 doesnot transmit a ready signal R in the data packet DP1, DP2, DP3. However,if a safety component 11, 12, 13 receives a ready signal R in the datapacket DP and if its ready status r is active, the safety component 11,12, 13 also transmits a ready signal R via its signal output Tx in adata packet to the signal input Rx of the safety component 11, 12, 13connected to it.

In FIG. 4 a it is assumed that the third safety component 13 has aninactive ready status r. The ready signal R is thus routed in a datapacket DP1 from the bus master BM to the second safety component 12.Since the second safety component 12 has an active ready status r, itforwards the ready signal R to the third safety component 13 in a datapacket DP2. However, the third safety component 13 has an inactive readystatus r, and therefore does not forward the ready signal R in the datapacket DP3 to the first safety component 11 (in this case, the busmaster BM). The bus master BM thus concludes that not all safetycomponents have an active ready status r=1.

If the bus master BM does not receive the ready signal R, itadvantageously transmits an emergency stop signal N in a data packet DP1(not shown), which is forwarded by the safety components 11, 12, 13.Upon receipt of the emergency stop signal N, the safety components 11,12, 13 switch their safety module M to inactive, if it is not alreadyinactive. This provides an additional safety precaution, and ensuresthat all safety modules M are inactive.

In contrast, it is assumed in FIG. 4 b that all safety components 11,12, 13 have an active ready status r. Thus, the ready signal R is onlyrouted in the data packet DP1 to the second safety component 12, which,because of its active ready status r, routes the ready signal R in thedata packet DP2 to the third safety component 13. Due to its activeready status r, the third safety component 13 routes the ready signal Rin the data packet DP3 to the first safety component 11, whichconstitutes the bus master BM. The bus master BM thus establishes thatall safety components 11, 12, 13 have an active ready status r, and thusdetermines an operational test arrangement. It should be noted that bothwith an active ready status r (FIG. 4 b ) and an inactive ready status r(FIG. 4 a ) of the third safety component 13, the bus master BM receivesthe bus verification signal B in the data packet DP3, This means that inboth cases, the circular test arrangement is closed. If this were notthe case, then the bus master BM would not receive any data packet DP3,and therefore no bus verification signal B (and of course no readysignal R, etc.).

FIG. 5 shows the situation in which the bus master BM has alreadyestablished that the test arrangement is ready for operation, byreceiving the ready signal R. The bus master BM therefore transmits anactivation signal A to all other safety components 12, 13, i.e, in adata packet DP1 to the adjacent safety component connected in thedirection of transmission (in this case, the second safety component12), which in turn transmits the activation signal A in a data packetDP2 to the adjacent safety component connected in the direction oftransmission (in this case, the third safety component 13), etc. Theother safety components 12, 13 switch their safety module M to activeupon receipt of the activation signal A in the data packet DP, whichmeans that the circular test arrangement is active.

The safety components 11, 12, 13 are only allowed to transmit andreceive safety-relevant information M1, M2, M3 if the safety module M isactive in each case. In FIG. 5 , it is assumed that all safetycomponents 11, 12, 13 have already received an activation signal A/stillreceive it cyclically.

The first safety component 11 includes an input unit, for example aswitch, and due to an activated safety module M, it can addsafety-relevant information M1 to the data packet DP1. For example, ameasurement start command can be instructed by the first safetycomponent 11 as safety-relevant information M1.

The second safety component 12 comprises a power unit. Since its safetymodule M is activated, the second safety component 12 can thus read outsafety-relevant information M1 from the data packet DP1, as well as addsafety-relevant information M2 to the data packet DP2. For example, thesecond safety component 12 can activate its power unit from thesafety-relevant information M1 originating from the first safetycomponent 11 in the form of a measurement start command, and also addsafety-relevant information M2 in the form of measured values to thedata packet DP2.

The third safety component 13 comprises an output unit which can nowoutput safety-relevant information M1, M2 contained in the data packetDP2, for example safety-relevant information M1 originating from thefirst safety component 11 with regard to the input unit, such as ameasurement start command, or safety-relevant information M2 originatingfrom the second safety component 12 with regard to the power unit, suchas a measured value. When the safety module M is activated, the safetycomponents 11, 12, 13 can therefore add safety-relevant information M1,M2, M3 to a data packet DP1, DP2, DP3 and/or read it out of a datapacket DP1, DP2, DP3—depending on the design of the safety component 11,12, 13. The input unit, power unit and output unit are only shown inFIGS. 5 and 6 a, since the safety modules M of the safety components 11,12, 13 are only activated here.

In FIG. 5 , as in FIG. 4 , the data packets DP1, DP2, DP3 also containthe bus verification signal B and the ready signal R, with the busmaster BM continuing to monitor a closed circular test arrangement, aswell as an active ready status r of all safety components 11, 12, 13.

The safety components 11, 12, 13 can also carry out a security test S(not shown) and, if the security test fails, deactivate their safetymodule M and emit an emergency stop signal N in a data packet DP1, DP2,DP3 to the other safety components 11, 12, 13, which, upon receipt ofthe emergency stop signal N, not only forward it in a data packet DP1,DP2, DP3, but also disable their safety module M. A failed security testS thus immediately leads to a data packet DP1, DP2, DP3 beingtransmitted with an emergency stop signal N in order to deactivate thesafety modules M of all safety components 11, 12, 13. An emergency stopsignal N can also be transmitted by the bus master BM if the bus masterBM does not receive back the activation signal A that it transmitted atthe signal input Rx in a data packet DP3.

In contrast to a safety test S, failure of a function test T (which isnot safety-critical) only leads to an inactive ready status r of saidsafety component 11, 12, 13. This inactive ready status r is onlyrecognized by the bus master BM when it transmits a ready signal R anddoes not receive it. The other safety components 11, 12, 13 whosefunction tests T fail can remain in the active ready status r.

A break in the ring is shown in FIGS. 6 a, b , i.e., an interruption inthe communication line between the second safety component 12 and thethird safety component 13. It is assumed that the break in the ring inFIG. 6 a occurs after the bus master BM has received the data packetDP3, which means that the bus master BM still has no indication of thebreak in the ring when the data packet DP1 is sent. The data packet DP1with the bus verification signal B (and in this case, also a readysignal R, activation signal A, and safety-relevant information M1, M2,M3) thus reaches the second safety component 12, which at this point intime has also not yet detected a break in the ring, and thus transmits adata packet DP2, which, however, does not arrive at the third safetycomponent 13.

The third safety component 13 is configured in this case in such a waythat it does not transmit any data packet DP3 if it does not receive anydata packet DP2. The cyclic function test T of the bus master BM thusfails, and the bus master BM would deactivate its ready status r. Thebus master BM thus sets its ready status r to inactive and transmits adata packet DP with an emergency stop signal N in order to deactivatethe safety modules M of all safety components 11, 12, 13. The emergencysignal N reaches the second safety component 12 in the data packet DP1,with the result that the safety module M of the second safety component12 is deactivated.

If the third safety component 13 were configured in such a way that italso transmits a data packet DP3 if it does not receive a data packetDP2 (not shown), the essential function test T of the bus master BMwould be successful, with the bus master BM leaving its ready status ractive. In this case, it is advantageous if the bus master BM isconfigured in such a way that it transmits an emergency stop signal N ifit does not receive a bus verification signal B. However, the bus masterBM would still not receive a bus verification signal B due to the breakin the ring, and would therefore transmit an emergency stop signal N inthe data packet DP1 if it was configured in this way. In the event of abreak in the ring, the bus master BM does not receive a bus verificationsignal B in any case, and thus determines that the circular testarrangement is no longer closed (FIG. 613 ).

However, because of the break in the ring, the second safety component12 cannot transmit the emergency signal N to the third safety component13 in the data packet DP2. However, the third safety component 13cyclically carries out at least one essential function test T(DP) andwaits for at least one data packet DP2 for the verification. Thisfunction test T thus fails, with the result that the third safety module13 switches its operating status r to inactive, with the result that thesafety module M is also switched to inactive.

The first and third safety components 11, 12, 13 thus remain with aninactive safety module M in the test arrangement shown. The secondsafety component 12 can have an active ready status r, provided that noassociated function tests T fail. However, this is only possible if thefirst safety component 11 is configured in such a way that it transmitsa data packet DP even if it does not receive a data packet DP (forexample, with a bus verification signal B), since otherwise theessential function test T of the second safety component 12 would fail.

The test arrangement can now, for example, be supplemented in a simplemanner by additional safety components between the second safetycomponent 12 and the third safety component 13. Alternatively, adifferent arrangement of safety components 11, 12, 13 can be made, orthe break in the ring can simply be closed.

Only when the break in the ring has been remedied is, as describedabove, a bus master BM determined, a data packet DP1, DP2, DP3 with abus verification signal B transmitted to determine a closed circulartest arrangement, a data packet DP1, DP2, DP3 with a ready signal Rtransmitted, and, as long as all safety components 11, 12, 13 have anactive ready status r, an activation signal A for activating the safetymodules M of the safety components 11, 12, 13 of the test arrangementtransmitted. Safety-relevant information M1. M2, M3 can then beexchanged between the safety components 11, 12, 13 again.

1. A method for operating a test arrangement comprising a plurality ofsafety components, wherein the safety components each have a signalinput for receiving data packets and a signal output for transmittingdata packets, wherein each of the safety components has a safety modulethat can be set to active or inactive, and a ready status that can beset to active or inactive, wherein the safety module of a safetycomponent is set to inactive when the associated safety component has aninactive ready status, wherein the signal inputs and signal outputs ofthe safety components are connected in such a way that the safetycomponents form a circular test arrangement with a direction oftransmission for the data packets, wherein the safety components eachcyclically carry out a number of function tests, and set their readystatus to active if the number of function tests is successful and toinactive if at least one of the function tests fails, wherein one of thefunction tests is checking for a cyclic, error-free reception of a datapacket, and wherein one of the safety components is selected as the busmaster, which cyclically transmits a bus verification signal in a datapacket to the adjacent safety component in the direction oftransmission, wherein the bus verification signal is forwarded in eachcase by the safety components in a data packet, and in that the busmaster, upon receipt of the bus verification signal in a data packet,determines that the circular test arrangement is closed.
 2. The methodaccording to claim 1, wherein the bus master, upon determining that thecircular test arrangement is closed, cyclically checks whether its readystatus is active and, if the ready status is active, transmits a readysignal in a data packet to the adjacent safety component, and whereinthe safety components, upon receipt of the ready signal, each checkwhether their ready status is active, and, if the ready status isactive, transmit a ready signal in a data packet to the adjacent safetycomponent in the direction of transmission.
 3. The method according toclaim 2, wherein the bus master, upon receipt of the ready signal,determines that the test arrangement is operational, and transmits anactivation signal in a data packet to the adjacent safety component inthe direction of transmission, wherein the safety components, uponreceipt of an activation signal, each activate their safety module, andforward the activation signal in a data packet.
 4. The method accordingto claim 3, wherein the bus master, after transmitting a ready signaland not receiving a ready signal, transmits an emergency stop signal ina data packet to the adjacent safety component in the direction oftransmission, wherein the safety components each deactivate their safetymodule upon receipt of the emergency stop signal, and forward theemergency stop signal in a data packet.
 5. The method according to claim1, wherein the bus master, after transmitting a bus verification signaland not receiving a bus verification signal, transmits an emergency stopsignal in a data packet to the adjacent safety component in thedirection of transmission, wherein the safety components each deactivatetheir safety module upon receipt of the emergency stop signal, andforward the emergency stop signal in a data packet.
 6. The methodaccording to claim 1, wherein the safety components carry out a safetytest, and if the safety test fails, the respective safety componentsdeactivate their ready status (r), and transmit an emergency stop signalin a data packet to the adjacent safety component in the direction oftransmission, wherein the safety components deactivate their safetymodule upon receipt of the emergency stop signal, and transmit theemergency stop signal in a data packet.
 7. The method according to claim1, wherein the bus master is selected via a component identification ofthe safety components, and preferably the safety component with thelowest component identification is selected as the bus master.
 8. Themethod according to claim 1, wherein the safety components transmit acomponent identification with the bus verification signal in the datapacket, and in that the bus master identifies the safety components bythe component identifications received with the bus verification signal.9. The method according to claim 8, wherein the bus master transmits thecomponent identifications back to the respective safety components in adata packet, and a safety component sets its ready status to inactive ifit does not receive its identification back from the bus master.